mirror of
https://github.com/discourse/discourse.git
synced 2024-11-25 20:23:44 +08:00
488fba3c5f
* FEATURE: allow plugins and themes to extend the default CSP For plugins: ``` extend_content_security_policy( script_src: ['https://domain.com/script.js', 'https://your-cdn.com/'], style_src: ['https://domain.com/style.css'] ) ``` For themes and components: ``` extend_content_security_policy: type: list default: "script_src:https://domain.com/|style_src:https://domain.com" ``` * clear CSP base url before each test we have a test that stubs `Rails.env.development?` to true * Only allow extending directives that core includes, for now
29 lines
611 B
Ruby
29 lines
611 B
Ruby
# frozen_string_literal: true
|
|
require_dependency 'content_security_policy/builder'
|
|
require_dependency 'content_security_policy/extension'
|
|
|
|
class ContentSecurityPolicy
|
|
class << self
|
|
def policy
|
|
new.build
|
|
end
|
|
|
|
def base_url
|
|
@base_url || Discourse.base_url
|
|
end
|
|
attr_writer :base_url
|
|
end
|
|
|
|
def build
|
|
builder = Builder.new
|
|
|
|
Extension.theme_extensions.each { |extension| builder << extension }
|
|
Extension.plugin_extensions.each { |extension| builder << extension }
|
|
builder << Extension.site_setting_extension
|
|
|
|
builder.build
|
|
end
|
|
end
|
|
|
|
CSP = ContentSecurityPolicy
|